SQL Injection - The Unknown Story

SQL Injection – The Unknown Story Rob Rachwald, Director of Security Strategy, Imperva Live Webinar - October 26, 2011

Agenda

SQL Injection: A Short Primer

SQL Injection Today +Attack Statistics

+Attack Process

+Attack Tools

Mitigation Checklist

Today’s Presenter

Rob Rachwald, Dir. of Security Strategy, Imperva

Research +Directs security strategy

+Works with the Imperva Application Defense Center

Security experience +Fortify Software and Coverity

+Helped secure Intel’s supply chain software

+Extensive international experience in Japan, China, France, and Australia

Thought leadership +Presented at RSA, InfoSec, OWASP, ISACA

+Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

SQL Injection Primer

Reason for Data Loss from Hacking: 2005-2011

SQL injection 83%

Other 17%

Total=315,424,147 records (856 breaches)

Source: Privacy Rights Clearinghouse

Total Web Application Vulnerabilities

: # of websites (estimated: July 2011)*

# of vulnerabilities**

357,292,065

230 x

1%

821,771,600 vulnerabilities in active circulation

*Source: http://news.netcraft.com/archives/2011/07/08/july-2011-web-server-survey.html **Source: https://www.whitehatsec.com/home/resource/stats.

:

How Many SQL Injections?

What About SQL Injections?

10%? 82,177,160

20%? 164,354,320

30%? 246,531,480

821,771,600 vulnerabilities in active circulation

SQL Injection Means Business, Literally

SQL Injection: Defined

SQL Injection: Technical Impact

Retrieve sensitive data from the organization

Steal the site’s administrator password

Lead to the downloading of malware

SQL Injection: Business Impact

Breach Date March 15, 2011

Breach Date January 19, 2009

SQL Injection Today: Attack Stats

Still a Very Relevant Attack

On average, we identified 53 SQLi attacks per hour and 1,093 attacks per day.

SQL Injections By the Hour

Majority of Attacks from Small Number of Hosts

41% of all SQLi attacks originated from just 10 hosts

SQL Injection Today: Attack Process

Hackers Increasingly Bypass Simple Defenses

1'/**/aND/**/'8'='3

1 DeClARe @x varchar(99) set @x=0x77616974666f722064656c61792027303a303a323027 exec(@x)--

concat() and char()

x' wAiTfOr dELay '0:0:20'--

Getting Started

Option 1a: Dorking +Intent: Find something generally vulnerable

Option 1b: General purpose scanner +Intent: Find something specifically vulnerable

Step 1a: Google Dorks

Step 1a: Google Dorks

What is It? A google search term targeted at finding vulnerable websites.

How Does It Work?

An attacker armed with a browser and a dork can start listing potential attack targets. By using search engine results an

attacker not only lists vulnerable servers but also gets a pretty accurate idea as to which resources within that server are

potentially vulnerable.

Dorking in Action

Automated Dorking (Desktop)

Carrying Out Attacks via Compromised Hosts

Dork Power: Queries Per Hour

Dork Power: Queries Per Day

Dorking in Action (Non SQL Example)

Dork Origins

Country # of Dork Queries % of Dork Queries Islamic Republic of Iran 227,554 41 Hungary 136,445 25 Germany 80,448 15 United States 19,237 3.5 Chile 17,365 3 Thailand 16,717 3 Republic of Korea 11,872 2 France 10,906 2 Belgium 10,661 2 Brazil 7,559 1.5 Other 8,892 2

Step 1b: Scanners

Choose the target site

Scan it with scanner to find vulnerabilities

Expand the vulnerability into full blown exploit

Step 1b: Automated Scanning, Service

Step 1b: Automated Scanning, Service

Step 3: Automated Attack Tools

SQLmap

Havij

Automated Tools

Havij/SQLmap pick up where scanner stops and exploit the application

+Inserts sql statements

+Will not scan full app, just specific areas. Makes a small hole really big

+Fetches specific information, such as column data

SQLi Attack Vectors

Direct query manipulation

Discovering the database structure

Union Select SQL injection

Time-based blind SQL injection

Bypassing simple parameter sanitation

Step 4: Harvest

SQL Injection Today: Attack Tools

Main Automated Attack Tools

SQLmap

Havij

Attacks From Automated Tools

Mitigation Checklist

Step 1: Dork Yourself

Put detection policies in place (using the data source monitoring solution) to depict move of sensitive data to public facing servers.

Regularly schedule “clean ups”. Every once in a while, a clean-up should be scheduled in order to verify that no sensitive data resides in these publicly accessible servers.

Periodically look for new data stores that hold sensitive data. Tools exist today to assist in the task of detecting database servers in the network and classifying their contents.

Step 2: Create and Deploy a Blacklist of Hosts that Initiated SQLi Attacks

Positives +Blocks up to 40% of

attack traffic

+Easy

Negatives +Does not deal with the

underlying problem

Step 3: Use a WAF to Detect/Block Attacks

Positives +Can block many attacks

+Relatively easy

+Can accelerate SDLC

Negatives +Can become a crutch

+Potential for false positives

Step 4: WAF + Vulnerability Scanner

“Security No-Brainer #9: Application Vulnerability Scanners

Should Communicate with Application Firewalls”

—Neil MacDonald, Gartner

Source: http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/

Apply SecureSphere policies based on scan results

Monitor attempts to exploit known vulnerabilities

Fix and test vulnerabilities on your schedule

Virtual Patching through Scanner Integration

Customer Site

Scanner finds vulnerabilities

SecureSphere imports scan results Monitor and protect

Web applications

Step 5: Stop Automated Attack Tools

Positives

+Detects automated tool fingerprints to block many attacks

+Relatively easy

Negatives +Potential for false

positives

Step 6: Code Fixing

Positives +Root cause fixed

+Earlier is cheaper

Negatives +Expensive, time

consuming

+Never-ending process

Summary: The Anti-SQL Stack

Code Fixing

Dork Yourself

Blacklist

WAF

WAF + VA

Stop Automated Attacks

About Imperva

Usage Audit

Access Control

Rights Management

Attack Protection

Reputation Controls

Virtual Patching

Our Story in 60 Seconds

Webinar Materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link

ADC Research Report

Get LinkedIn to Imperva Data Security Direct for…

www.imperva.com